[gnutls-help] How to generate a private key and sign the certificate using GnuTLS API?

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Sep 17 15:43:34 CEST 2019

On Wed, Sep 4, 2019 at 4:43 AM Nicolas Mora <nicolas at babelouest.org> wrote:
> Hello,
> I'm trying to generate a private RSA key, extract a certificate and sign
> the certificate using the GnuTLS C API.
> Basically, I try to reproduce the following certtool commands using the
> API only:
> certtool --generate-privkey --outfile client.key --bits=4096
> certtool --generate-request --load-privkey client.key --outfile client.csr
> certtool --generate-certificate --load-request client.csr
> --load-ca-certificate root.crt --load-ca-privkey root.key --outfile
> client.crt
> The files root.key and root.crt already exist and contain the private
> key and self-signed certificate of the CA.
> I test with the code below but I got the following error message:
> error gnutls_x509_crt_sign2: -43
> What did I do wrong with my certificate?

Most likely you have already figured the issue, but in general a way
to debug such applications is by setting the GNUTLS_DEBUG_LEVEL
variable to a number from 3 to 9. It will provide more output which
can help figure the issue.


More information about the Gnutls-help mailing list